
Is my contract data safe from outsiders?
Your contracts are encrypted when stored and when moving between you and PactAlert. Documents are held in cloud object storage operated by AWS in an EU region. Access to a document goes through a short-lived signed link that expires after one hour, so a link that leaks stops working quickly.
Obligations and workspace data sit in a managed PostgreSQL database. All connections to PactAlert are secured with TLS.

Who at PactAlert can see my contracts?
Your workspace is isolated from every other customer's workspace. On every request our system handles, we re-check that the user actually belongs to the workspace they're asking about — we don't rely on a cached token for that decision.
You decide who on your team can access each workspace, with separate permission levels for people who need to sign off vs. people who just need to see.
On our side, access to production customer data is limited to a small number of engineers who need it to operate the service. We do not yet have formal staff-access logging in place; it's on our near-term roadmap.

What do you do with my data? Do you train AI on it?
We do not train AI on your contracts. We use OpenAI's API to extract obligations from the text you upload; OpenAI's standard API terms prohibit using that data to train their models, and we retain only what's needed to show and re-run extractions inside your workspace.
We do not sell your data, share it with advertisers, or feed it into marketing tools. Your data leaves PactAlert's infrastructure only to reach the subprocessors listed below.

Can I legally put my client's contract data here?
PactAlert is operated by RubiDev OÜ, a private limited company registered in Estonia (registry code 16935750). Customer data is hosted on AWS infrastructure in an EU region.
We will sign a Data Processing Addendum on request — email us and we'll send our standard DPA. Under GDPR we act as a processor; you act as controller. We honor access, correction, and deletion requests — we currently handle them manually while our self-serve equivalents are being built.
Operator of Record
RubiDev OÜ
Vesivärava tn 50-201, Tallinn 10152, Estonia · Registry 16935750
Subprocessor ledger
4 entries · reviewed Apr 2026
Note: If you connect Jira, Notion, Trello, Slack, DocuSign, or similar, obligation data flows to those tools under your account. They are your integrations, not ours.

What happens if something goes wrong?
If we discover a security incident affecting your data, we will notify affected workspaces directly and in writing, with the facts we know at the time. When GDPR applies, we aim to notify within 72 hours of discovery, consistent with the regulation.
Incident response today is handled by our engineering team on an on-call basis.

What if I want to leave?
You can cancel your subscription and delete your workspace at any time from your account settings — deletion runs immediately and removes your data from our active systems.
Data export is still handled manually today — email us and we will send your export within 30 days. Self-serve export is on our near-term roadmap.

── In Progress ──
What we're working on.
On our near-term security roadmap. No dates committed — we ship when it's honest.
- 01 · Two-factor authentication · Near-term
- 02 · Self-serve data export · Near-term
- 03 · Production error & uptime monitoring · Near-term
- 04 · Application-level rate limiting on sensitive endpoints · Near-term
- 05 · Formal staff-access logging · Near-term
Contact
Security questions or a DPA to sign?
Email us. A human replies — usually within a business day.
[email protected]